IoT Hub TLS certificate update
Published date: September 11, 2020
Microsoft is updating Azure services in a phased manner to use TLS certificates from a different set of Certificate Authorities (CAs) beginning August 13, 2020, and concluding approximately on October 26, 2020. We expect that most Azure IoT customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”).
To broadly notify customers, Microsoft had sent a Service Health portal notification on Aug 3rd, 2020, and released a public document that includes timelines, actions that need to be taken, and details regarding the upcoming changes to our Public Key Infrastructure (PKI).
This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements. This was reported on July 1, 2020, and impacts multiple popular Public Key Infrastructure (PKI) providers worldwide. Today, most of the TLS certificates used by Azure services are issued from the "Baltimore CyberTrust Root" PKI.
The following services used by Azure IoT devices will remain chained to the Baltimore CyberTrust Root*, but their TLS server certificates will be issued by new Intermediate Certificate Authorities (ICAs) starting October 5, 2020:
Azure IoT Hub
Azure IoT Hub Device Provisioning Service (DPS)
Azure Storage Services
If any client application or device has pinned to an Intermediate CA rather than the Baltimore CyberTrust Root, immediate action is required to prevent disruption of IoT device connectivity to Azure. To learn more, please read our technical blog.
* Other Azure service TLS certificates may be issued by a different PKI.